238 lines
9.2 KiB
Lua
238 lines
9.2 KiB
Lua
local nmap = require "nmap"
|
|
local shortport = require "shortport"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local vulns = require "vulns"
|
|
|
|
description = [[
|
|
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
|
|
|
|
The Microsoft bulletin MS12-020 patches two vulnerabilities: CVE-2012-0152
|
|
which addresses a denial of service vulnerability inside Terminal Server, and
|
|
CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol. Both are
|
|
part of Remote Desktop Services.
|
|
|
|
The script works by checking for the CVE-2012-0152 vulnerability. If this
|
|
vulnerability is not patched, it is assumed that CVE-2012-0002 is not patched
|
|
either. This script can do its check without crashing the target.
|
|
|
|
The way this works follows:
|
|
* Send one user request. The server replies with a user id (call it A) and a channel for that user.
|
|
* Send another user request. The server replies with another user id (call it B) and another channel.
|
|
* Send a channel join request with requesting user set to A and requesting channel set to B. If the server replies with a success message, we conclude that the server is vulnerable.
|
|
* In case the server is vulnerable, send a channel join request with the requesting user set to B and requesting channel set to B to prevent the chance of a crash.
|
|
|
|
References:
|
|
* http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|
* http://support.microsoft.com/kb/2621440
|
|
* http://zerodayinitiative.com/advisories/ZDI-12-044/
|
|
* http://aluigi.org/adv/termdd_1-adv.txt
|
|
|
|
Original check by by Worawit Wang (sleepya).
|
|
]]
|
|
|
|
---
|
|
-- @usage
|
|
-- nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE VERSION
|
|
-- 3389/tcp open ms-wbt-server?
|
|
-- | rdp-vuln-ms12-020:
|
|
-- | VULNERABLE:
|
|
-- | MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|
|
-- | State: VULNERABLE
|
|
-- | IDs: CVE:CVE-2012-0152
|
|
-- | Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|
|
-- | Description:
|
|
-- | Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|
-- |
|
|
-- | Disclosure date: 2012-03-13
|
|
-- | References:
|
|
-- | http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|
-- |
|
|
-- | MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|
|
-- | State: VULNERABLE
|
|
-- | IDs: CVE:CVE-2012-0002
|
|
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|
|
-- | Description:
|
|
-- | Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|
-- |
|
|
-- | Disclosure date: 2012-03-13
|
|
-- | References:
|
|
-- | http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|
-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|
|
|
|
author = "Aleksandar Nikolic"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
categories = {"intrusive", "vuln"}
|
|
|
|
|
|
portrule = shortport.port_or_service({3389},{"ms-wbt-server"})
|
|
|
|
-- see http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx for more info
|
|
local connectionRequest = "\x03\x00" -- TPKT Header version 03, reserved 0
|
|
.. "\x00\x0b" -- Length
|
|
.. "\x06" -- X.224 Data TPDU length
|
|
.. "\xe0" -- X.224 Type (Connection request)
|
|
.. "\x00\x00" -- dst reference
|
|
.. "\x00\x00" -- src reference
|
|
.. "\x00" -- class and options
|
|
|
|
-- see http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
|
|
local connectInitial = "\x03\x00\x00\x65" -- TPKT Header
|
|
.. "\x02\xf0\x80" -- Data TPDU, EOT
|
|
.. "\x7f\x65\x5b" -- Connect-Initial
|
|
.. "\x04\x01\x01" -- callingDomainSelector
|
|
.. "\x04\x01\x01" -- calledDomainSelector
|
|
.. "\x01\x01\xff" -- upwardFlag
|
|
.. "\x30\x19" -- targetParams + size
|
|
.. "\x02\x01\x22" -- maxChannelIds
|
|
.. "\x02\x01\x20" -- maxUserIds
|
|
.. "\x02\x01\x00" -- maxTokenIds
|
|
.. "\x02\x01\x01" -- numPriorities
|
|
.. "\x02\x01\x00" -- minThroughput
|
|
.. "\x02\x01\x01" -- maxHeight
|
|
.. "\x02\x02\xff\xff" -- maxMCSPDUSize
|
|
.. "\x02\x01\x02" -- protocolVersion
|
|
.. "\x30\x18" -- minParams + size
|
|
.. "\x02\x01\x01" -- maxChannelIds
|
|
.. "\x02\x01\x01" -- maxUserIds
|
|
.. "\x02\x01\x01" -- maxTokenIds
|
|
.. "\x02\x01\x01" -- numPriorities
|
|
.. "\x02\x01\x00" -- minThroughput
|
|
.. "\x02\x01\x01" -- maxHeight
|
|
.. "\x02\x01\xff" -- maxMCSPDUSize
|
|
.. "\x02\x01\x02" -- protocolVersion
|
|
.. "\x30\x19" -- maxParams + size
|
|
.. "\x02\x01\xff" -- maxChannelIds
|
|
.. "\x02\x01\xff" -- maxUserIds
|
|
.. "\x02\x01\xff" -- maxTokenIds
|
|
.. "\x02\x01\x01" -- numPriorities
|
|
.. "\x02\x01\x00" -- minThroughput
|
|
.. "\x02\x01\x01" -- maxHeight
|
|
.. "\x02\x02\xff\xff" -- maxMCSPDUSize
|
|
.. "\x02\x01\x02" -- protocolVersion
|
|
.. "\x04\x00" -- userData
|
|
|
|
-- see http://msdn.microsoft.com/en-us/library/cc240835%28v=prot.10%29.aspx
|
|
local userRequest = "\x03\x00" -- header
|
|
.. "\x00\x08" -- length
|
|
.. "\x02\xf0\x80" -- X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
|
|
.. "\x28" -- PER encoded PDU contents
|
|
|
|
local function do_check(host, port)
|
|
local is_vuln = false
|
|
local socket = nmap.new_socket()
|
|
-- If any socket call fails, bail.
|
|
local catch = function ()
|
|
socket:close()
|
|
end
|
|
local try = nmap.new_try(catch)
|
|
|
|
try(socket:connect(host, port))
|
|
try(socket:send(connectionRequest))
|
|
|
|
local rdp_banner = "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"
|
|
local response = try(socket:receive_bytes(#rdp_banner))
|
|
if response ~= rdp_banner then
|
|
--probably not rdp at all
|
|
stdnse.debug1("not RDP")
|
|
return false
|
|
end
|
|
try(socket:send(connectInitial))
|
|
try(socket:send(userRequest)) -- send attach user request
|
|
response = try(socket:receive_bytes(12)) -- receive attach user confirm
|
|
local user1 = string.unpack(">I2", response, 10) -- user_channel-1001 - see http://msdn.microsoft.com/en-us/library/cc240918%28v=prot.10%29.aspx
|
|
|
|
try(socket:send(userRequest)) -- send another attach user request
|
|
response = try(socket:receive_bytes(12)) -- receive another attach user confirm
|
|
local user2 = string.unpack(">I2", response, 10) -- second user's channel - 1001
|
|
user2 = user2+1001 -- second user's channel
|
|
local data4 = string.pack(">I2I2", user1, user2)
|
|
local data5 = "\x03\x00\x00\x0c\x02\xf0\x80\x38" -- channel join request TPDU
|
|
local channelJoinRequest = data5 .. data4
|
|
try(socket:send(channelJoinRequest)) -- bogus channel join request user1 requests channel of user2
|
|
response = try(socket:receive_bytes(9))
|
|
if response:sub(8,9) == "\x3e\x00" then
|
|
-- 3e00 indicates a successful join
|
|
-- see http://msdn.microsoft.com/en-us/library/cc240911%28v=prot.10%29.aspx
|
|
-- service is vulnerable
|
|
is_vuln = true
|
|
-- send a valid request to prevent the BSoD
|
|
data4 = string.pack(">I2I2", user2 - 1001, user2)
|
|
channelJoinRequest = data5 .. data4 -- valid join request
|
|
-- Don't bother checking these; we know it's vulnerable and are just cleaning up.
|
|
socket:send(channelJoinRequest)
|
|
local _, _ = socket:receive_bytes(0)
|
|
end
|
|
socket:close()
|
|
return is_vuln
|
|
end
|
|
|
|
action = function(host, port)
|
|
local rdp_vuln_0152 = {
|
|
title = "MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability",
|
|
IDS = {CVE = 'CVE-2012-0152'},
|
|
risk_factor = "Medium",
|
|
scores = {
|
|
CVSSv2 = "4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)",
|
|
},
|
|
description = [[
|
|
Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|
]],
|
|
references = {
|
|
'http://technet.microsoft.com/en-us/security/bulletin/ms12-020',
|
|
},
|
|
dates = {
|
|
disclosure = {year = '2012', month = '03', day = '13'},
|
|
},
|
|
exploit_results = {},
|
|
}
|
|
|
|
local rdp_vuln_0002 = {
|
|
title = "MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability",
|
|
IDS = {CVE = 'CVE-2012-0002'},
|
|
risk_factor = "High",
|
|
scores = {
|
|
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
|
|
},
|
|
description = [[
|
|
Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|
]],
|
|
references = {
|
|
'http://technet.microsoft.com/en-us/security/bulletin/ms12-020',
|
|
},
|
|
dates = {
|
|
disclosure = {year = '2012', month = '03', day = '13'},
|
|
},
|
|
exploit_results = {},
|
|
}
|
|
|
|
local report = vulns.Report:new(SCRIPT_NAME, host, port)
|
|
rdp_vuln_0152.state = vulns.STATE.NOT_VULN
|
|
rdp_vuln_0002.state = vulns.STATE.NOT_VULN
|
|
|
|
-- Sleep for 0.2 seconds to make sure the script works even with SYN scan.
|
|
-- Posible reason for this is that Windows resets the connection if we try to
|
|
-- reconnect too fast to the same port after doing a SYN scan and not completing the
|
|
-- handshake. In my tests, sleep values above 0.1s prevent the connection reset.
|
|
stdnse.sleep(0.2)
|
|
|
|
local status, is_vuln = pcall(do_check, host, port)
|
|
if not status then
|
|
-- A socket or data unpacking error means the POC didn't work as expected
|
|
-- Report the error in case we actually need to fix something.
|
|
-- Kinda wish we had a LIKELY_NOT_VULN
|
|
local result = ("Server response not as expected: %s"):format(is_vuln)
|
|
rdp_vuln_0152.check_results = result
|
|
rdp_vuln_0002.check_results = result
|
|
elseif is_vuln then
|
|
rdp_vuln_0152.state = vulns.STATE.VULN
|
|
rdp_vuln_0002.state = vulns.STATE.VULN
|
|
end
|
|
|
|
return report:make_output(rdp_vuln_0152,rdp_vuln_0002)
|
|
end
|